Tuesday, 30 September 2014

Either the European Commission’s internal visual design teams have had a new boss, or this summer’s crop of interns have been allowed to produce a document that looked great even to them.

However it happened, I do congratulate whoever was responsible for signing off this factsheet which explains elements of data protection law in such a visually engaging manner.

Lots of colour, great fonts, nice use of a discreet watermark, and the text was easy to follow.

This factsheet was on the “right to be forgotten” – and designed, in part, to lower public expectations on how strong a “right” it actually was. Six myths were presented, which were then demolished (in plain English, rather than in Eurospeak):

Myth 1: “The judgment does nothing for citizens”

Myth 2: “The judgment entails the deletion of content”

Myth 3: “The judgment contradicts freedom of expression”

Myth 4: “The judgment allows for censorship”

Myth 5: “The judgment will change the way the internet works”

Myth 6: “The judgment renders the data protection reform redundant”

Yes, you can write about data protection in terms that citizens can understand.

It’s instructive to compare this document with the language used in the Article 29 Working Party’s latest missive. Why oh why, if the Commission is capable of writing in such a direct style, doesn’t the Working Party issue documents like this? Is it done deliberately, to ensure that very few journalists actually use the press release?

OK, it may be a question of resources, or perhaps the Working Party may feel it necessary to couch its language in more formal terms, as lawyers are generally more comfortable reading such texts. But our world moves far beyond that inhabited by lawyers – and the Working Party should do more to reach out to European citizens, using language they are more likely to comprehend, rather than restrict its focus to a small data protection elite.

If only the Working Party could hire the same visual design teams / interns. Then, perhaps, more of their material might reach a wider audience. Failing that, they might like to use the team that prepares the ICO’s documents, as they are written in Plain English, too.

Some Working Party opinions, after all, are quite useful – but it is a shame that so much of their stuff is so hard to read.

Monday, 29 September 2014

ICO watchers (of whom there are many) are generally keen to track subtle changes that occur within the organisation. Thanks to the ICO’s transparency agenda, the published minutes of internal meetings are always a useful source of intelligence. Significant ICO initiatives are usually accompanied by a press release, but every now and again other stuff happens which, in a more opaque organisation, might never have been disclosed to the public at large.

Did you know, for example, that the ICO’s Information Rights Committee meets regularly to exchange views on relevant issues?

If you were to glance at the minutes of its meeting held on 12 August, you may be interested to learn that it has carried out a review of its priority action groups and other cross-office groups.

Deputy Commissioner David Smith introduced a paper aimed at ensuring the various ICO internal groups with an information rights agenda are clearly defined, effective and able to deliver relevant priorities. Evidently, there is a risk that if groups are not established in the correct way, then opportunities may be lost or some duplication of effort may occur.

After some deliberation, the following recommendations were agreed:

• The Priority Area Groups concept will be retained, albeit with the groups being renamed as Priority Area Action Groups (PAAGs)

Friday, 26 September 2014

Who else gets to contemplate horribly complicated issues, treading a fine line between the needs of citizens, global organisations, public authorities and SMEs?

And who else gets to contemplate it in Mauritius?

From 13 to 16 October, some of the world’s finest data protection minds will be working out how to keep the sand out of their laptops as they contemplate more effective ways to regulate the digital universe.

The theme of the 36th international data protection and privacy commissioners conference is “A world order for data protection – our dream coming true?”

One look at the host’s website certainly indicates that someone’s dream will be coming true. If anyone ever wanted to know about data protection and snorkeling, then this is the place to go. Oh, to be paid to attend a privacy conference at a stunning resort hotel, located on pristine white sands overlooking the bay of Balaclava. I want that job.

I should not be snide, though. I’m likely to be in London (or Dublin) helping data controllers appreciate how best to avoid the critical gaze of their regulator. Not in the tropics.

To be fair, the delegates in Mauritius will be faced with a pretty packed programme. And I do hope that a good number remain for the final speaker, Marie Georges. A good number of them will probably never have heard of her. Even her job title, “Independent Expert and Member of the Fundamental Rights European Expert Group,” doesn’t give that much away.

But I know better.

I last saw her a few months ago in Brussels, and first met her several decades ago. Marie was (effectively) the person who drafted much of what we have come to know and love as the 1995 Data Protection Directive. Yes, it is her work that has become so out-of-date that it now needs to be replaced by another legal instrument. So it is probably fitting that the regulators should thank her politely before consigning her work to the statutory waste paper bin.

I have vivid memories of happy times, punting with her on the river Cam, during a privacy conference in Cambridge. Well, to be fair, some Cambridge graduate was doing all the punting. We were both just enjoying a glass or two of bubbly – as well as the view. I didn’t agree with her views on privacy back then, particularly on her insistence that it was right that policymakers be able to argue and negotiate their positions on the then (draft) Data Protection Directive in private, rather than in public.

I’m not sure whether she has changed her views about many data controllers. Particularly about those who shouted at her during the conference when they didn’t agree with her views on the need for tighter rules on direct marketing. Yes, data protection was a hotly contested topic back then, too.

To be fair, I don’t expect that the delegates will be shouting at each other this year. Many already know what they think about each other, and that’s enough.

I predict that we won’t be seeing too many public displays of disaffection.

Perhaps an argument about how to moderate public expectations of privacy in an internet age. Google will probably get another going over.

And perhaps a murmur of gratitude from the consultants present to thank the regulators for making data protection laws so complicated that data controllers will absolutely have to rely on their advice even more over the coming years.

Then, everyone can close their laptops and, if they have time before their long flight home, appreciate whatever other delights Mauritius has to offer the tired traveller.

Thursday, 25 September 2014

All eyes are currently on the British Standards Institute, as the soft launch of its new accreditation framework for BS 10012 has commenced. How quickly will it take off, bearing in mind the ICO’s intention to endorse (at least) one privacy seal scheme next year? Will organisations wait until it is clear whether this scheme has been officially endorsed by the ICO, or will they be brave and apply for BSI accreditation now?

For those not in the know, BS 10012 is the framework that sets up a personal information management system. If you need reassurance that your organisation meets the requirements of British data protection legislation, then this is the standard for you. If data controllers want to demonstrate “accountability,” they will benefit from being capable of complying with this standard.

Like all accountability frameworks, the point is that they are designed, as the BSI explains, to:

Identify risks to personal information and put controls in place to manage or reduce them.

Some organisations might not want to open their internal systems up to the scrutiny of a BSI auditor until they are reasonably confident that the systems are reasonably robust. Few organisations relish the prospect of strangers poking around for dirty laundry. But they might want some help from an expert who is familiar with the standard, nonetheless.

As someone who served on the working party responsible for writing that standard, I’m in a good position to offer some useful advice.

If you are interested in a frank review of your systems (or if you just want to know what it is that the law says you ought to be doing), then please feel free to contact me.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.